Analysis
-
max time kernel
150s -
max time network
154s -
platform
windows10-2004_x64 -
resource
win10v2004-20240426-en -
resource tags
arch:x64arch:x86image:win10v2004-20240426-enlocale:en-usos:windows10-2004-x64system -
submitted
19-05-2024 19:22
Static task
static1
Behavioral task
behavioral1
Sample
5b0af3dce15d92a5a7b8a37de83eeaa7_JaffaCakes118.exe
Resource
win7-20240221-en
General
-
Target
5b0af3dce15d92a5a7b8a37de83eeaa7_JaffaCakes118.exe
-
Size
416KB
-
MD5
5b0af3dce15d92a5a7b8a37de83eeaa7
-
SHA1
6dcd0197106aad03ebb99fe5b48e07030eee313c
-
SHA256
75d39cde8311668ffaea4a2211eb81690af2cfb39e8407dd73fdac3e1c7cc777
-
SHA512
6c02ee833a5c348ebf81d00a27de74b727055636da4fb8cda0fbcc7f81d8627731c7af22842cb80b061f233d2f29791b1c1342c95d6fce611c7f5d28a7a4be61
-
SSDEEP
6144:BL0ofRj4RzQF/zpWDdnXrZ+S7fSShT7bh1XhtGpmjc95bTYDbpaX:BLVRsRzQDWDxZ+gf17bh1XEm4ffobpaX
Malware Config
Extracted
emotet
Epoch3
178.153.91.22:80
92.17.138.248:80
114.183.140.94:80
172.105.213.30:80
69.30.205.162:7080
50.63.13.135:8080
192.161.190.171:8080
210.111.160.220:80
181.44.166.242:80
41.218.118.66:80
46.17.6.116:8080
142.93.87.198:8080
113.52.135.33:7080
187.177.155.123:990
172.90.70.168:443
198.57.217.170:8080
123.142.37.165:80
95.216.212.157:8080
187.250.92.82:80
216.75.37.196:8080
157.7.164.178:8081
51.38.134.203:8080
72.27.212.209:8080
201.196.15.79:990
122.11.164.183:80
80.93.48.49:7080
85.105.183.228:443
46.105.131.68:8080
195.201.56.68:7080
192.210.217.94:8080
81.82.247.216:80
177.103.201.23:80
192.163.221.191:8080
201.183.251.100:80
78.46.87.133:8080
83.156.88.159:80
190.101.87.170:80
163.172.97.112:8080
172.104.70.207:8080
82.79.244.92:80
190.5.162.204:80
103.122.75.218:80
23.253.207.142:8080
182.176.116.139:995
119.159.150.176:443
60.53.3.153:8080
72.69.99.47:80
212.129.14.27:8080
5.189.148.98:8080
95.216.207.86:7080
124.150.175.129:8080
181.47.235.26:993
189.236.4.214:443
45.129.121.222:443
200.71.112.158:53
197.90.159.42:80
143.95.101.72:8080
189.180.105.125:443
139.162.185.116:443
191.100.24.201:50000
83.99.211.160:80
186.215.101.106:80
195.191.107.67:80
192.241.220.183:8080
161.18.233.114:80
172.245.13.50:8080
50.116.78.109:8080
138.197.140.163:8080
152.169.32.143:8080
190.189.79.73:80
186.66.224.182:990
193.33.38.208:443
212.112.113.235:80
83.110.107.243:443
89.215.225.15:80
211.218.105.101:80
124.150.175.133:80
181.197.108.171:443
176.58.93.123:80
81.213.145.45:443
162.144.46.90:8080
37.59.24.25:8080
188.230.134.205:80
187.233.220.93:443
Signatures
-
Drops file in System32 directory 4 IoCs
description ioc Process File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\Content.IE5 footerlua.exe File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\IE footerlua.exe File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCookies footerlua.exe File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5 footerlua.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Modifies data under HKEY_USERS 3 IoCs
description ioc Process Set value (str) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content\CachePrefix footerlua.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies\CachePrefix = "Cookie:" footerlua.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History\CachePrefix = "Visited:" footerlua.exe -
Suspicious behavior: EnumeratesProcesses 14 IoCs
pid Process 4296 footerlua.exe 4296 footerlua.exe 4296 footerlua.exe 4296 footerlua.exe 4296 footerlua.exe 4296 footerlua.exe 4296 footerlua.exe 4296 footerlua.exe 4296 footerlua.exe 4296 footerlua.exe 4296 footerlua.exe 4296 footerlua.exe 4296 footerlua.exe 4296 footerlua.exe -
Suspicious behavior: RenamesItself 1 IoCs
pid Process 1160 5b0af3dce15d92a5a7b8a37de83eeaa7_JaffaCakes118.exe -
Suspicious use of SetWindowsHookEx 4 IoCs
pid Process 3288 5b0af3dce15d92a5a7b8a37de83eeaa7_JaffaCakes118.exe 1160 5b0af3dce15d92a5a7b8a37de83eeaa7_JaffaCakes118.exe 1672 footerlua.exe 4296 footerlua.exe -
Suspicious use of WriteProcessMemory 6 IoCs
description pid Process procid_target PID 3288 wrote to memory of 1160 3288 5b0af3dce15d92a5a7b8a37de83eeaa7_JaffaCakes118.exe 85 PID 3288 wrote to memory of 1160 3288 5b0af3dce15d92a5a7b8a37de83eeaa7_JaffaCakes118.exe 85 PID 3288 wrote to memory of 1160 3288 5b0af3dce15d92a5a7b8a37de83eeaa7_JaffaCakes118.exe 85 PID 1672 wrote to memory of 4296 1672 footerlua.exe 97 PID 1672 wrote to memory of 4296 1672 footerlua.exe 97 PID 1672 wrote to memory of 4296 1672 footerlua.exe 97
Processes
-
C:\Users\Admin\AppData\Local\Temp\5b0af3dce15d92a5a7b8a37de83eeaa7_JaffaCakes118.exe"C:\Users\Admin\AppData\Local\Temp\5b0af3dce15d92a5a7b8a37de83eeaa7_JaffaCakes118.exe"1⤵
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3288 -
C:\Users\Admin\AppData\Local\Temp\5b0af3dce15d92a5a7b8a37de83eeaa7_JaffaCakes118.exe--ba70c3002⤵
- Suspicious behavior: RenamesItself
- Suspicious use of SetWindowsHookEx
PID:1160
-
-
C:\Windows\SysWOW64\footerlua.exe"C:\Windows\SysWOW64\footerlua.exe"1⤵
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1672 -
C:\Windows\SysWOW64\footerlua.exe--d0db21732⤵
- Drops file in System32 directory
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:4296
-
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\ProgramData\Microsoft\Crypto\RSA\S-1-5-18\d28bdbffaae6a126e5b3e8418d19968a_5fd6b8d9-48b3-42c0-adc7-08f9fe7c965e
Filesize50B
MD54fda44f94340e6d3e4400360a1d25a01
SHA15d09264f7d0c020fd0522ba4017b712f1e505705
SHA25658c68b9e7b841ce312f0d780b4939acdcf7fde25b89034bd568b3709e687e58a
SHA5120756b8b65af19d587b9e265e392c4208beeffc2662bee705ce63b3b9aea7a2ee0aec0dfde8c888cced9282f9173a8a5a22648e005509ec612e99b14d7971b2e1